AppGuard 4.x 32/64 Bit - Releases

The vast majority of files shipped with Windows in C:\Windows are unsigned.

Blocking unsigned Microsoft files from C:\Windows will break some Windows functionality; unsigned Microsoft files execute from C:\Windows all the time as part of Windows' normal operation.

AppGuard cannot differentiate between an unsigned file from Microsoft or a malware publisher.

Besides, in Protected Mode nothing can be installed\written to C:\Windows, except by Windows Installer, and then only if the *.msi is digitally signed by Microsoft - or - written by an un-Guarded application - or - the user defined C:\Windows as an exception folder with write permissions.

 

I have the same view as you, but maybe BRN should not allow users to add Windows Folders to the user-space then. What about Windows temp folder? Do you think it would break Windows, or just stop some Windows update functionality? Since AG currently allows Windows Folders to be added to the user-space we should hear what expected behavior should be from BRN.

 

I agree. I know what I have seen when adding any System Space to User Space, but I will wait for Barb's reply.

My tinkering indicates that, while you can add C:\Windows sub-directories to User Space, executions will still be permitted.

 

No, i wasn't able to execute it outside of the windows-directory
c:\!\unsigned = Blocked
c:\windows\!\unsigned = not blocked

My plan was to add only subdirectories of c:\windows, not the whole directory c:\windows.

yes, maybe it should be not allowed to add a Windows Folder...
Let's wait for an "official statement"

 

I just upgraded when prompted to version 4.3.13.1. I waited at least 10 minutes and there was no prompt saying that the upgrade was finished or a prompt to reboot. AppGuard could not be opened. The AppGuard process was running. I found out that the AppGuard Service was not running, so I started the AppGuard Service and AppGuard could then be opened.

I rebooted and AppGuard 'seems' to be working OK. Would an uninstall/reinstall have been better? I want to make sure that AppGuard was upgraded properly.

Thanks in Advance.

 

Most people here have installed 4.3.13.1 "over top" of earlier versions without incident - but what you are experienced is not unheard of.

I would just observe - or - just uninstall\reinstall - whichever you so choose.

 

Barb emailed me yesterday, and she said if they decide to make AG block unsigned files from System Space Folders that have been added to the user-space in Protected Mode then we may see that fix in the next build.

 

That is good idea. Thanks @Cutting_Edgetech.

 

No problem.

 

@Barb_C

Here is another unclear block even while in Install Mode (while uninstalling Webroot):

02/26/16 23:53:20 Prevented <pid: 2052> from writing to memory of <persistence Module>.
02/26/16 23:51:35 Prevented <Windows host process (Rundll32)> from writing to memory of <persistence Module>.

pid: 2052 = rundll32.exe

Protected resource: c:\windows\system32\igfxpers.exe

Guarded applications are still blocked while in Install Mode ?

That's only conclusion I can draw based upon the above.

 

Same here, but then I realized there was a new AG icon on my desktop, so I guessed I just needed to reboot my laptop, which I did. And now it is working as usual. Besides, the gui does mention version 4.3.13.1, so I guess it's ok.

 

Thats is exactly my experiance.
Everything seems ok after the reboot.

 

Very good

Yes and No. There "can" be problems, if a guarded app is updated. Even if you set AG to Install Mode. I experienced it myself.
(a) Turn AG off
or
(b) Unguard the Application temporarily

 

Yes, these are the type of things they really need to focus on fixing. I don't think AG should be blocking this in Install Mode. Even Windows updates install successfully on my machines in Locked Down mode. It's strange that AG would behave like this in Install Mode. Another thing they really should focus on in my opinion is figuring out how to give file names with Process ID's so the user knows what is being blocked.

 

Sorry for a stupid question, but is AG v.4.3.13.1 stable or still beta?
It can be downloaded here

http://www.appguardus.com/index.php/appguard/personal/personal-support

GUI (Advanced tab) informs me that 'Update not available'.

 

Yes, appears it is now stable. Beta has same hash as release version on their webpage.

 

+1

 

30 minutes after the update process had begun the AG tray icon still indicated the service was disabled, and that it was still in the process of updating. The update process at no point informed me I needed to reboot. The upgrade did not occur successfully until after a reboot. Something really needs to be done about their update process/module. I hate to say it, but it's the worst I have seen.

updated 2/29 @ 11:55
I reported the update problem to Barb.

 

It seems the information I was given from BRN was not correct as Barb already pointed out. I just did my own testing, and discovered that AG protection does not begin until approximately 30 seconds after the desktop has loaded. This is the behavior I am seeing on my machine. I rebooted at least 10 times, and used a stopwatch. AG protection enables itself at about the same time my wireless internet gains internet access, but I think this is only coincidence. I executed GMER (unsigned executable) each time approximately 28-30 seconds after the desktop had loaded. I do not find this satisfactory. This may not prevent an infected USB device from infecting the computer.

 

I just did my own testing, and discovered that AG protection does not begin until approximately 30 seconds after the desktop has loaded. This is the behavior I am seeing on my machine. I rebooted at least 10 times, and used a stopwatch. AG protection enables itself at about the same time my wireless internet gains internet access, but I think this is only coincidence. I executed GMER (unsigned executable) each time approximately 28-30 seconds after the desktop had loaded. I do not find this satisfactory. This may not prevent an infected USB device from infecting the computer.

 

Isn't the AppGuard service always running ?

 

I agree entirely with this statement. In most cases knowing nothing but the PID when you get a notification that something is blocked is completely useless. Several times I tried to find the PID with task manager... in vain. After a while it starts to be annoying. In my opinion BRN should put it somewhere near the top of their to-do list...













I

 

From this: https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-173#post-2562392
schtasks.exe should have been "ignored" by default. It would have been fine if it is blocked once or twice a day. But it is blocked multiple times a day.

Thanks for the search option of wilders, I got my answer to ignore the blocking event.


Also, @Barb_C , the current version still blocks something, at least in the GUI, even if AppGuard is Off.

 

I don't know at what point the AG service becomes active during boot since I have been informed different things. The one thing clear is AG is not preventing executions until approximately 30 seconds after my desktop loads. I'm able to execute GMER (unsigned executable) from my desktop with no problem for the first 30 seconds after the desktop loads. Bouncer, and ERP protection is active much earlier than this.

Edited 2/29 @ 10:16 pm